IMPORTANT: This manual will be archived after 15th December 2025. The manual will be available in a downloadable format and will continue to be updated, but not included as part of the active, searchable, documentation.
LogScale's parsing functions can be used to extract data, or to
identify specific data types, such as dates, time or JSON values from
events.
Table: Parsing Query Functions
Function Default Argument Availability Description base64Decode([as], [charset], field)field
Performs Base64 decoding of a field.
kvParse([as], [excludeEmpty], [field], [override], [separator], [separatorPadding])field
Key-value parse events.
parseCEF([field], [headerprefix], [keeplabels], [labelprefix], [prefix])field
Parses CEF version 0.x encoded messages.
parseCsv(columns, [delimiter], [excludeEmpty], field, [trim])field
Parses a CSV-encoded field into known columns.
parseFixedWidth(columns, [field], [trim], widths)field
Parses a fixed width-encoded field into known columns.
parseHexString([as], [charset], field)field
Parses input from hex encoded bytes, decoding resulting bytes as a
string.
parseInt([as], [endian], field, [radix])field
Converts an integer from any radix or base to base-ten, decimal
radix.
parseJson([exclude], [excludeEmpty], field, [handleNull], [include], [prefix], [removePrefixes])field
Parses specified fields as JSON.
parseLEEF([delimiter], [field], [headerprefix], [keeplabels], [labelprefix], [parsetime], [prefix], [timezone])field
Parses LEEF version 1.0 and 2.0 encoded messages.
parseTimestamp([addErrors], [as], [caseSensitive], field, [format], [timezone], [timezoneAs])format
Parses a string into a timestamp.
parseUri([defaultBase], field, [prefix])field
Extracts URI components from a field.
parseUrl([as], [field])field
Extracts URL components from a field.
parseXml(field, [prefix], [strict])field
Parses specified field as XML.
